Total
1111 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-9425 | 1 Rconfig | 1 Rconfig | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in includes/head.inc.php in rConfig before 3.9.4. An unauthenticated attacker can retrieve saved cleartext credentials via a GET request to settings.php. Because the application was not exiting after a redirect is applied, the rest of the page still executed, resulting in the disclosure of cleartext credentials in the response. | |||||
| CVE-2020-9404 | 1 Pactware | 1 Pactware | 2024-11-21 | 3.6 LOW | 7.1 HIGH |
| In PACTware before 4.1 SP6 and 5.x before 5.0.5.31, passwords are stored in an insecure manner, and may be modified by an attacker with no knowledge of the current passwords. | |||||
| CVE-2020-9403 | 1 Pactware | 1 Pactware | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| In PACTware before 4.1 SP6 and 5.x before 5.0.5.31, passwords are stored in a recoverable format, and may be retrieved by any user with access to the PACTware workstation. | |||||
| CVE-2020-9337 | 1 Golfbuddyglobal | 1 Course Manager | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| In GolfBuddy Course Manager 1.1, passwords are sent (with base64 encoding) via a GET request. | |||||
| CVE-2020-9330 | 1 Xerox | 36 Workcentre 3655, Workcentre 3655 Firmware, Workcentre 3655i and 33 more | 2024-11-21 | 4.0 MEDIUM | 8.8 HIGH |
| Certain Xerox WorkCentre printers before 073.xxx.000.02300 do not require the user to reenter or validate LDAP bind credentials when changing the LDAP connector IP address. A malicious actor who gains access to affected devices (e.g., by using default credentials) can change the LDAP connection IP address to a system owned by the actor without knowledge of the LDAP bind credentials. After changing the LDAP connection IP address, subsequent authentication attempts will result in the printer sending plaintext LDAP (Active Directory) credentials to the actor. Although the credentials may belong to a non-privileged user, organizations frequently use privileged service accounts to bind to Active Directory. The attacker gains a foothold on the Active Directory domain at a minimum, and may use the credentials to take over control of the Active Directory domain. This affects 3655*, 3655i*, 58XX*, 58XXi*, 59XX*, 59XXi*, 6655**, 6655i**, 72XX*, 72XXi*, 78XX**, 78XXi**, 7970**, 7970i**, EC7836**, and EC7856** devices. | |||||
| CVE-2020-9324 | 1 Aquaforest | 1 Tiff Server | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Aquaforest TIFF Server 4.0 allows Unauthenticated SMB Hash Capture via UNC. | |||||
| CVE-2020-9275 | 1 Dlink | 2 Dsl-2640b, Dsl-2640b Firmware | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| An issue was discovered on D-Link DSL-2640B B2 EU_4.01B devices. A cfm UDP service listening on port 65002 allows remote, unauthenticated exfiltration of administrative credentials. | |||||
| CVE-2020-9023 | 1 Iteris | 2 Vantage Velocity, Vantage Velocity Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Iteris Vantage Velocity Field Unit 2.3.1 and 2.4.2 devices have two users that are not documented and are configured with weak passwords (User bluetooth, password bluetooth; User eclipse, password eclipse). Also, bluetooth is the root password. | |||||
| CVE-2020-8994 | 1 Mi | 2 Mdz-25-dt, Mdz-25-dt Firmware | 2024-11-21 | 7.2 HIGH | 6.8 MEDIUM |
| An issue was discovered on XIAOMI AI speaker MDZ-25-DT 1.34.36, and 1.40.14. Attackers can get root shell by accessing the UART interface and then they can read Wi-Fi SSID or password, read the dialogue text files between users and XIAOMI AI speaker, use Text-To-Speech tools pretend XIAOMI speakers' voice achieve social engineering attacks, eavesdrop on users and record what XIAOMI AI speaker hears, delete the entire XIAOMI AI speaker system, modify system files, stop voice assistant service, start the XIAOMI AI speaker’s SSH service as a backdoor | |||||
| CVE-2020-8988 | 1 Voatz | 1 Voatz | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| The Voatz application 2020-01-01 for Android allows only 100 million different PINs, which makes it easier for attackers (after using root access to make a copy of the local database) to discover login credentials and voting history via an offline brute-force approach. | |||||
| CVE-2020-8422 | 1 Zohocorp | 1 Manageengine Remote Access Plus | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| An authorization issue was discovered in the Credential Manager feature in Zoho ManageEngine Remote Access Plus before 10.0.450. A user with the Guest role can extract the collection of all defined credentials of remote machines: the credential name, credential type, user name, domain/workgroup name, and description (but not the password). | |||||
| CVE-2020-8259 | 1 Nextcloud | 1 Nextcloud | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
| Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the encryption keys. | |||||
| CVE-2020-8210 | 1 Citrix | 1 Xenmobile Server | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Insufficient protection of secrets in Citrix XenMobile Server 10.12 before RP3, Citrix XenMobile Server 10.11 before RP6, Citrix XenMobile Server 10.10 RP6 and Citrix XenMobile Server before 10.9 RP5 discloses credentials of a service account. | |||||
| CVE-2020-8183 | 1 Nextcloud | 1 Nextcloud | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| A logic error in Nextcloud Server 19.0.0 caused a plaintext storage of the share password when it was given on the initial create API call. | |||||
| CVE-2020-8152 | 1 Nextcloud | 1 Nextcloud | 2024-11-21 | 2.1 LOW | 4.4 MEDIUM |
| Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the public key to decrypt them later on. | |||||
| CVE-2020-7945 | 1 Puppet | 1 Continuous Delivery | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| Local registry credentials were included directly in the CD4PE deployment definition, which could expose these credentials to users who should not have access to them. This is resolved in Continuous Delivery for Puppet Enterprise 4.0.1. | |||||
| CVE-2020-7909 | 1 Jetbrains | 1 Teamcity | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| In JetBrains TeamCity before 2019.1.5, some server-stored passwords could be shown via the web UI. | |||||
| CVE-2020-7908 | 1 Jetbrains | 1 Teamcity | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| In JetBrains TeamCity before 2019.1.5, reverse tabnabbing was possible on several pages. | |||||
| CVE-2020-7307 | 1 Mcafee | 1 Data Loss Prevention | 2024-11-21 | 2.1 LOW | 5.2 MEDIUM |
| Unprotected Storage of Credentials vulnerability in McAfee Data Loss Prevention (DLP) for Mac prior to 11.5.2 allows local users to gain access to the RiskDB username and password via unprotected log files containing plain text credentials. | |||||
| CVE-2020-7306 | 1 Mcafee | 1 Data Loss Prevention | 2024-11-21 | 2.1 LOW | 5.2 MEDIUM |
| Unprotected Storage of Credentials vulnerability in McAfee Data Loss Prevention (DLP) for Mac prior to 11.5.2 allows local users to gain access to the ADRMS username and password via unprotected log files containing plain text | |||||